CVE-2023-3277 in MStore API Plugin
Summary
by MITRE • 11/03/2023
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-3277 affects the MStore API plugin for WordPress, a widely used e-commerce solution that enables mobile application functionality for WordPress sites. This security flaw exists in versions up to and including 4.10.7, representing a critical weakness in the plugin's authentication mechanisms that directly impacts user account security and system integrity. The vulnerability specifically targets the Apple login feature implementation, which serves as a critical authentication pathway for users accessing the platform through mobile applications.
The technical root cause of this vulnerability stems from inadequate validation and authorization checks within the Apple login functionality. The flaw allows attackers to exploit the authentication process by simply knowing a target user's email address, bypassing the normal authentication requirements that should normally prevent unauthorized access. This improper implementation creates a privilege escalation vector where unauthenticated attackers can gain access to any user account on the system, effectively undermining the entire user authentication framework. The vulnerability demonstrates a clear failure in the principle of least privilege and proper access control implementation, which are fundamental security requirements defined by CWE-284.
The operational impact of this vulnerability is severe and far-reaching for WordPress site administrators and end users. Attackers can leverage this flaw to access any user account on the affected system, potentially gaining access to sensitive customer data, personal information, and administrative privileges. This unauthorized access capability extends beyond simple account compromise to include potential data exfiltration, account manipulation, and further exploitation within the WordPress environment. The vulnerability's impact is amplified by its ease of exploitation since no authentication credentials are required beyond knowing a user's email address, making it particularly dangerous for systems with numerous user accounts.
This vulnerability aligns with several ATT&CK framework techniques including T1078 Valid Accounts for maintaining persistence and T1566 Phishing for initial access, while also representing a failure in the authentication and access control domains. The weakness directly violates security standards established by OWASP Top Ten, specifically addressing the issue of broken authentication and session management. Organizations using the MStore API plugin should immediately implement mitigations including upgrading to the patched version, implementing additional authentication layers, and monitoring for suspicious login patterns. The vulnerability also highlights the importance of proper input validation and authentication flow design in mobile application integrations, particularly when dealing with third-party authentication providers such as Apple's authentication system.